Alert number: KAIFA-KSIRT-202411-15
Published : 2024/11/15
Updated : 2024/11/15
1. Vulnerability Overview
XStream is a library for serializing Java objects to XML and back.
It was recently detected that a heap overflow denial of service vulnerability (CVE-2024-47072) was fixed in XStream. An attacker can supply a specially constructed binary data stream as input, causing infinite recursion during deserialization; the resulting stack overflow crashes the application and interrupts service, i.e. a denial of service.
Affected users are advised to inspect their own assets and take preventive measures so that the vulnerability cannot be exploited against them.
2. Versions and Fixes
Affected Products | Patched version | Affected versions
XStream | XStream >= 1.4.21 | XStream < 1.4.21
3. Impact and Consequences
Threat actors can construct malicious HTTP requests to access any file that the Spring application process has access to on the target file system, resulting in data leakage.
4. Vulnerability Scoring
The vulnerability is graded using the KAIFA AMI scoring rules.
Final score: 7.5
V. Technical Details
The vulnerability is exploitable only when XStream is configured to use BinaryStreamDriver.
Vulnerability details:
We recently detected a heap overflow denial of service vulnerability (CVE-2024-47072) fixed in XStream. In versions prior to XStream 1.4.21, when XStream is configured to use BinaryStreamDriver, certain inputs are handled improperly during deserialization. An attacker can supply a specially constructed binary data stream as input, causing infinite recursion during deserialization; the resulting stack overflow crashes the application and interrupts service, i.e. a denial of service.
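The asset self-inspection recommended in section 1 can be partly automated. The following script is an added example, not part of the advisory or the XStream project: it walks a code tree, picks up XStream jar file names and Maven pom.xml dependency entries, and flags every version below the patched release given in section 2 (1.4.21). The sample directory it builds is constructed for the demo.

```python
import os
import re
import tempfile
# First fixed release, as stated in section 2 of the advisory.
PATCHED = (1, 4, 21)
# jar file names (e.g. xstream-1.4.20.jar) and Maven pom.xml dependency entries
JAR_RE = re.compile(r"^xstream-(\d+(?:\.\d+)*)(?:[-.].*)?\.jar$")
POM_RE = re.compile(
    r"<artifactId>\s*xstream\s*</artifactId>\s*<version>\s*([\d.]+)[^<]*</version>",
    re.DOTALL)

def parse_version(text):
    """'1.4.20' -> (1, 4, 20); shorter tuples sort before longer ones."""
    return tuple(int(p) for p in text.split("."))

def is_vulnerable(version):
    """True when the version sorts below the patched release."""
    return parse_version(version) < PATCHED

def find_xstream(root):
    """Return (path, version) for each xstream jar or pom dependency under root."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            m = JAR_RE.match(name)
            if m:
                hits.append((path, m.group(1)))
            elif name == "pom.xml":
                with open(path, encoding="utf-8") as fh:
                    for pm in POM_RE.finditer(fh.read()):
                        hits.append((path, pm.group(1)))
    return hits

def vulnerable_assets(root):
    return [(p, v) for p, v in find_xstream(root) if is_vulnerable(v)]

def demo_tree():
    """Constructed sample tree: one patched jar, one old jar, one old pom entry."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "lib"))
    for jar in ("xstream-1.4.20.jar", "xstream-1.4.21.jar"):
        open(os.path.join(root, "lib", jar), "w").close()
    with open(os.path.join(root, "pom.xml"), "w", encoding="utf-8") as fh:
        fh.write("<artifactId>xstream</artifactId><version>1.4.19</version>")
    return root

if __name__ == "__main__":
    for path, ver in vulnerable_assets(demo_tree()):
        print(f"VULNERABLE: {path} (xstream {ver} < 1.4.21)")
```

Shaded or relocated copies of XStream (for example, bundled inside a fat jar) are not found by file name; confirm those against the build's dependency report.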
6. Workarounds
None.
7. How to Obtain the Fixed Version
Services that support automatic updates will prompt for a system update; applying the update fixes the vulnerability. Alternatively, users can download the update manually from the official website.
8. Vulnerability Source
Supplier notification
9. Update Records
KAIFA-KSIRT-Initial
10. FAQs
None.
11. KAIFA External Security Response Service
KAIFA has always advocated doing its utmost to protect the interests of product users, following the principle of responsible disclosure of security incidents, and handling product security issues through its product security issue handling mechanism.
12. Statement
This document is provided "as is" without any express, implied or statutory warranty, including (but not limited to) the warranty of merchantability, fitness for purpose and non-infringement. In no event shall KAIFA or its directly or indirectly controlled subsidiaries, or its suppliers, be liable for any loss, including direct, indirect, incidental, consequential loss of business profits or special damages. You shall bear all legal liabilities arising from the use of this document in any way. KAIFA may modify or update the content and information contained in this document at any time.